Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.
And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.
Expose PostgREST's `pre-request` config option to enable revoking long-lived tokens
See original GitHub issueFeature request
Expose PostgREST’s pre-request config option to enable revoking long-lived tokens
Is your feature request related to a problem? Please describe.
This issue is based on this discussion: https://github.com/supabase/supabase/discussions/3205
There is more detail in the discussion linked above, but to summarize my use case:
- I’d like to give long-lived JWTs to users of my webapp to use as API keys (akin to Stripe tokens or Supabase’s
service_roletoken) - I’d like to let users revoke and regenerate these tokens in my webapp’s UI (so they can handle security issues on their end, like leaks or employee offboarding)
- Supabase currently has no way to apply some security middleware (e.g. to check “is this request’s token/claim in my list of revoked tokens?”)
There are similar use cases, like this discussion https://github.com/supabase/supabase/discussions/2265 about wanting to revoke a service_role JWT (without needing to contact supabase support to do so).
Describe the solution you’d like
As suggested in PostgREST’s docs on revocation, it would be nice to have a pre-request function that can run for all API requests. Maybe this option could be exposed in the Supabase Admin UI as a new API setting? Or, maybe this option could be specified in the database via PostgREST’s In-Database Configuration, though this method seems to require SUPERUSER.
Describe alternatives you’ve considered
As described in the github discussion (https://github.com/supabase/supabase/discussions/3205), an alternative would be to add a revocation-check policy to every table, which is not-DRY and is error-prone due to the duplication, as well as bad for performance (if a single request makes many queries, or even a single query across many tables, the revocation check is evaluated repeatedly).
Other alternatives I can think of would be even worse (e.g. putting a revocation-checking proxy service in front of the Supabase API, sending all API requests to some database function that does revocation-checking then dispatches to other tables, e.g. /rpc/dispatcher?table=profiles&payload=...).
Additional context
It looks like y’all are already working on exposing other PostgREST config options, like db-schema according to this discussion: https://github.com/supabase/supabase/discussions/1222
Implementing this feature request would hopefully share a lot of the same work and be not-too-onerous as a result! 🤞
Issue Analytics
- State:
- Created 2 years ago
- Reactions:12
- Comments:5
Top Results From Across the Web
Top Related Medium Post
Top Related StackOverflow Question
Troubleshoot Live Code
Top Related Reddit Thread
Top Related Hackernoon Post
Top Related Tweet
Top Related Dev.to Post
Top Related Hashnode Post
@psteinroe I had to run
ALTER ROLE postgresinstead ofALTER ROLE authenticatorto get this to work. Does this match your experience or what did you do to getALTER ROLE authenticatorto work?I just received answer from the (super awesome) supabase support and they hinted that db-pre-request can already be set!
and to reset
more details here!